[SLING-4019] ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: Security 1.0.8
Component/s: None
Labels:
None

Description

The ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false.

The reasons is that the attacker can force an empty referrer in at least two ways:

is the victim site runs using http the attacker can create a "mallory page" under an https site. In this case (namely https-to-http) the referrer is not passed.
The attacker create a dynamic post doing something like:

<head>
<script>
function load() {

    var postdata = '<form id=dynForm method=POST action=\'https://www.google.com\'>' +

                    '<input type=hidden name=email value=example@live.com />' +

                    '<input type=hidden name=pass value=password />' +

                    '<input type=hidden name=locale value=en_US />' +

                    '</form>';
    top.frames[0].document.body.innerHTML=postdata;
    top.frames[0].document.getElementById('dynForm').submit();
}
</script>
</head>
<body onload="load()">
<iframe src="about:blank" id="noreferer"></iframe>
</body>
</html>

Attachments

Activity

People

Assignee:: Antonio Sanso

Reporter:: Antonio Sanso

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 09/Oct/14 14:15

Updated:: 26/Feb/15 13:02

Resolved:: 16/Feb/15 15:44